Botnet Reporting

Botnet Tracking, Reporting, and Termination

Aim

To locate and report fast-flux hosts so they can be disinfected. The project is codenamed BRAT for Botnet Reporting And Termination.

Method

The method involves performing address lookups on the host names of each known botnet, accumulating the data, and
reporting the infections to the abuse contact of each Autonomous System in which an infection is detected.

Data Collection

By examining existing spammed URLs and checking each site's DNS SOA, one can determine whether the site's records have a short TTL.
By performing a "host" lookup and counting the number of Address (A) records returned, one can identify multi-hosted sites.
Together these two checks distinguish single hosts from botnet-hosted sites.

Once a fast-flux candidate is found, it can be used as a "probe" to log the botnet's fast-flux IP addresses.

A collection of probes is placed into a control file as a set of site names. By issuing a "host" command
for each probe on a regular cyclic basis, the IPs can be detected and logged with a date/time stamp.
The probe cycle time is selected according to the fast-flux TTL (if the TTL is 3 minutes, probe every 3 minutes for new addresses).

Probes are categorised by cycle time (eg 0, 1, 3, 5, 10, 30 minutes); the cycle time is used to select the probe rate.

Accumulation

Each probe log is processed. For each IP discovered, the FIRST SEEN timestamp, LAST SEEN timestamp, and NUMBER OF SIGHTINGS are
accumulated. Each IP is then used to look up its ASN, ISO country code, reverse-DNS PTR record, and ASN description, and
these fields are appended to the IP's line item. All results for a common category of hosting function are merged into
one reporting file: one merged file for spam operations, one for Storm infection distributors, and so on.

Reporting

A table of primary abuse / security email addresses is maintained for each ASN.
For each merged file, template reporting messages are prepared and sent to each ASN contact. Where one contact has multiple ASNs,
these are rolled together into the same report. This gives each recipient a full picture of the penetration of the infections
within their total network.
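The accumulation and reporting steps above, as an added example that is not part of the original project: it folds a probe log into per-IP FIRST SEEN / LAST SEEN / sighting counts, then rolls every ASN sharing one abuse contact into a single report. The log lines, the IP-to-ASN table and the ASN-to-contact table are constructed for illustration; a real pipeline would fill the latter two from whois or routing data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample probe log (not data from the page): one line per address
# returned by each periodic `host` lookup, as "timestamp probe_name ip".
PROBE_LOG = """\
2007-10-01T00:00:00 probe-a.example 192.0.2.10
2007-10-01T00:00:00 probe-a.example 192.0.2.11
2007-10-01T00:03:00 probe-a.example 192.0.2.10
2007-10-01T00:03:00 probe-a.example 198.51.100.7
2007-10-01T00:06:00 probe-a.example 192.0.2.10
"""
# Constructed enrichment tables standing in for the ASN lookup and the
# per-ASN abuse-contact table (private-use ASNs, documentation addresses).
ASN_OF_IP = {"192.0.2.10": 64496, "192.0.2.11": 64496, "198.51.100.7": 64497}
CONTACT_OF_ASN = {64496: "abuse@example.net", 64497: "abuse@example.net"}

def accumulate(log_text):
    """Per IP: FIRST SEEN, LAST SEEN and NUMBER OF SIGHTINGS across the log."""
    acc = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, _probe, ip = line.split()
        ts = datetime.fromisoformat(ts_str)
        rec = acc.setdefault(ip, {"first_seen": ts, "last_seen": ts, "sightings": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["sightings"] += 1
    return acc

def reports_by_contact(acc, asn_of_ip, contact_of_asn):
    """Enrich each IP with its ASN, then roll all of a contact's ASNs into
    one report so the recipient sees every infected host in their network."""
    reports = defaultdict(lambda: defaultdict(list))
    for ip, rec in sorted(acc.items()):
        asn = asn_of_ip.get(ip)
        contact = contact_of_asn.get(asn, "unknown")
        reports[contact][asn].append(
            (ip, rec["first_seen"].isoformat(), rec["last_seen"].isoformat(), rec["sightings"]))
    return {c: dict(by_asn) for c, by_asn in reports.items()}

if __name__ == "__main__":
    for contact, by_asn in reports_by_contact(accumulate(PROBE_LOG), ASN_OF_IP, CONTACT_OF_ASN).items():
        print(f"To: {contact}  (ASNs: {sorted(by_asn)})")
        for asn, rows in by_asn.items():
            for ip, first, last, n in rows:
                print(f"  AS{asn} {ip} first={first} last={last} sightings={n}")
```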

Statistics

For 24 hours of probing a 0-TTL fast-flux distributor of Storm there will be approximately 3,000 IPs detected, spread over
approximately 500 ASNs.

For the same period, probes of 8 fast-flux botnets ranging from 1-10 minute cycles will detect approximately 2,000 IPs, spread
over approximately 300 ASNs.

In total, the probe method can accumulate 5,000 IPs per day, or 35,000 per week.

Results

Reporting using this methodology started on Sept 20, 2007. Over the intervening period, the number of botnets being probed has climbed from 3 to 9 as of November 1.